How can we improve SSL handshake to increase the security?

2018-05-30 06:18:00

During SSL handshake, the server send the client its(server's) public key and then client creates a session key and encrypt it with the server's public key and send it to the server. The server then decrypt the message with its private key and retrive the session key. The further communication between server and client is then secured using symmetric key.

Now here, if the initial public key sent by server goes to malicious device then it will create its own session key and encrypt it with the public key and send it to the server. Then the whole communication will take place betwneen server and malicious device. How can we fix it?

I'm not sure that you quite have this right. The connection is supposed to be:

client <--> server

The client knows that it's talking to the server due to the SSL handshake and validation of the server certificate. Your question is what would happen if:

client  //   MiTM <--> server

with the client being out of the communication loop. In this situation the server's standard authentication and authorization will view the MiTM as an unauthorized client and provide it with no sensitive data.

Perhaps you're asking what happens if the initial connection is something like:

client <--> MiTM <--> server

where the MiTM is some malicious network appliance. At first the server talks to the client to get the user authenticated but then (unknowningly) begins speaking to the MiTM. This can't happen as the user won't authenticate until the SSL connection is set up. As SSL connections are designed to deal with malicious MiTM attacks successfully, the MiTM can see the traffic but can't understand it.

The key insight here is that the server won't trust a client until it gets an authentication over SSL and the client won't authenticate until it gets a secure SSL channel. Once the SSL channel is correctly established between the client and server, MiTMs are powerless to do anything besides block the connection.

In short, SSL works.

链接地址: http://www.djcxy.com/p/3710.html

上一篇: 男子在中间发作

下一篇: 我们如何改进SSL握手以提高安全性？